Krebs on Security

In-depth security news and investigation

Banks: Card Breach at Goodwill Industries

Heads up, bargain shoppers: Financial institutions across the country report that they are tracking what appears to be a series of credit card breaches involving Goodwill locations nationwide. For its part, Goodwill Industries International Inc. says it is working with the U.S. Secret Service on an investigation into these reports.

Headquartered in Rockville, Md., Goodwill Industries International, Inc. is a network of 165 independent agencies in the United States and Canada with a presence in 14 other countries. The organizations sell donated clothing and household items, and use the proceeds to fund job training programs, employment placement services and other community-based initiatives.

According to sources in the financial industry, multiple locations of Goodwill Industries stores have been identified as a likely point of compromise for an unknown number of credit and debit cards.

In a statement sent to KrebsOnSecurity, Goodwill Industries said it first learned about a possible incident last Friday, July 18. The organization said it has not yet confirmed a breach, but that it is working with federal authorities on an investigation into the matter.

“Goodwill Industries International was contacted last Friday afternoon by a payment card industry fraud investigative unit and federal authorities informing us that select U.S. store locations may have been the victims of possible theft of payment card numbers,” the company wrote in an email.

“Investigators are currently reviewing available information,” the statement continued. “At this point, no breach has been confirmed but an investigation is underway. Goodwills across the country take the data of consumers seriously and their community well-being is our number one concern. Goodwill Industries International is working with industry contacts and the federal authorities on the investigation. We will remain appraised of the situation and will work proactively with any individual local Goodwill involved taking appropriate actions if a data compromise is uncovered.”

The U.S. Secret Service did not respond to requests for comment.

It remains unclear how many Goodwill locations may have been impacted, but sources say they have traced a pattern of fraud on cards that were all previously used at Goodwill stores across at least 21 states, including Arkansas, California, Colorado, Florida, Georgia, Iowa, Illinois, Louisiana, Maryland, Minnesota, Mississippi, Missouri, New Jersey, Ohio, Oklahoma, Pennsylvania, South Carolina, Texas, Virginia, Washington and Wisconsin.

It is also not known at this time how long ago this apparent breach may have begun, but those same financial industry sources say the breach could extend back to the middle of 2013.

Financial industry sources said the affected cards all appear to have been used at Goodwill stores, but that the fraudulent charges on those cards occurred at non-Goodwill stores, such as big box retailers and supermarket chains. This is consistent with activity seen in the wake of other large data breaches involving compromised credit and debit cards, including the break-ins at Target, Neiman Marcus, Michaels, Sally Beauty, and P.F. Chang’s.
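The tracing described above, where issuers notice that cards later hit by fraud share one earlier merchant, is common point of purchase (CPP) analysis. The following is an added example, not code from the article or from any bank, and its purchase records, card IDs and merchant names are constructed. It ranks merchants by lift (the share of fraud-reported cards that used the merchant, divided by the same share among cards with no fraud), because a merchant nearly every cardholder visits, such as a supermarket, would otherwise look like the common point in any set of cards:

```python
from collections import defaultdict

# Constructed sample data, not real cards or any merchant's transaction logs.
# Each tuple is (card_id, merchant, state): a purchase the issuer saw on the
# card BEFORE any fraud was reported on it.
PURCHASES = [
    ("c1", "Goodwill", "MD"), ("c1", "BigBox", "MD"), ("c1", "Grocer", "MD"),
    ("c2", "Goodwill", "VA"), ("c2", "Grocer", "VA"),
    ("c3", "Goodwill", "TX"), ("c3", "BigBox", "TX"),
    ("c4", "Goodwill", "OH"), ("c4", "GasMart", "OH"),
    ("c5", "Grocer", "MD"), ("c5", "BigBox", "MD"),
    ("c6", "GasMart", "TX"), ("c6", "Grocer", "TX"),
    ("c7", "BigBox", "VA"), ("c7", "Grocer", "VA"),
    ("c8", "Goodwill", "MD"), ("c8", "Grocer", "MD"),
]

# Cards on which the issuer later confirmed fraudulent charges. Where the
# fraud itself happened does not matter: CPP looks only at the history the
# cards share before the fraud.
FRAUD_CARDS = {"c1", "c2", "c3", "c4"}


def common_points_of_purchase(purchases, fraud_cards, min_fraud_share=0.5):
    """Rank merchants by how much more often fraud cards used them than clean cards did.

    fraud_share: fraction of fraud-reported cards that used the merchant.
    clean_share: the same fraction among cards with no fraud (the control group).
    lift:        fraud_share / clean_share; a merchant every cardholder visits
                 has lift near 1 even if every fraud card went there.
    """
    merchant_cards = defaultdict(set)
    merchant_states = defaultdict(set)
    all_cards = set()
    for card, merchant, state in purchases:
        all_cards.add(card)
        merchant_cards[merchant].add(card)
        if card in fraud_cards:
            merchant_states[merchant].add(state)  # footprint of the suspected breach
    clean_cards = all_cards - fraud_cards

    ranked = []
    for merchant, cards in merchant_cards.items():
        fraud_share = len(cards & fraud_cards) / len(fraud_cards)
        if fraud_share < min_fraud_share:
            continue  # too few fraud cards touched this merchant to be the common point
        clean_share = len(cards & clean_cards) / len(clean_cards) if clean_cards else 0.0
        lift = fraud_share / clean_share if clean_share else float("inf")
        ranked.append({
            "merchant": merchant,
            "fraud_share": fraud_share,
            "clean_share": clean_share,
            "lift": lift,
            "states": sorted(merchant_states[merchant]),
        })
    ranked.sort(key=lambda r: (r["lift"], r["fraud_share"]), reverse=True)
    return ranked


if __name__ == "__main__":
    for row in common_points_of_purchase(PURCHASES, FRAUD_CARDS):
        print(f"{row['merchant']:<10} fraud={row['fraud_share']:.2f} "
              f"clean={row['clean_share']:.2f} lift={row['lift']:.1f} "
              f"states={row['states']}")
```

On this data every fraud card used Goodwill but only one clean card did, so Goodwill ranks first with lift 4.0 and a state footprint of MD, OH, TX and VA, while Grocer, used by half the fraud cards and all of the clean ones, drops to lift 0.5. With a handful of fraud reports the control group is tiny and lift swings wildly, which is one reason a single issuer often cannot name the merchant in a small breach without comparing notes with other banks.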

I should have some pretty reliable information on Wednesday (7-30-14) about this possible breach.
On a related note, a Wendy’s restaurant POS in central Michigan was hit recently. I have no clue how long it sat there collecting data, but hundreds in the area were affected. Prior to the company’s announcement, police said they could not legally release the name of the company. Is this true? The investigator said the breach occurred while the firewall was down for a few days.

Since a breach involves multiple agencies (read Treasury department, etc.), the “local” law enforcement has ‘traditionally’ been *allowed* to participate, but not really been able to say/do much other than take reports… at least from what I’ve been privy to.

On the firewall being down… ewwwwwwwps. Was that at the local store, or the HQ? (if you can pass that along)

As a bank, we get notified by Visa eventually, and it is true that we are not allowed to tell who was breached. We don’t always know. I think the thought is that because you don’t know where in the system the breach was (local store, corporate office, card processor, etc.) you don’t want to possibly unfairly damage a business reputation that may not be directly responsible for the breach. That being said, in a large breach, most people figure it out. In a small breach, we don’t always even figure it out because the exposure window could go back for years, and the number of affected cards may be too small. It’s usually only by talking with other banks that you may get a better idea.

This is one of those areas where a few banks excel at catching fraudulent charges. I’ve had a couple of bad charges attempted on my credit card. I got a phone call from the bank right then asking if it was me attempting the charge – and alerting me that my cc had been nabbed.
So, changed twice. Also had where I *was* making a purchase and got declined. Called them, they saw the “odd” activity and locked it. And unlocked it just as quickly.
They also basically told me each time where the breach on my cc occurred, so I wonder as to your statement about legality? May be just because they know I am in this business and that it occurs. Curious.

It seems the Secret Service is doing a disservice to the security community by muzzling companies that have been hacked. We still don’t have the technical details of what happened at Target. Companies need to know how these attacks worked so they can shore up the defenses. The hackers certainly have that information.

CB Terry,
Point 1: Spot on
Point 2: Cards are almost never stored. The point of sale machines usually get attacked with malware that grabs cards during a swipe.
Regarding Target: There was absolutely no executive who was handling security at the time of the breach. A CISO is a must in this day and age. Target now has one but it will likely not prevent 100% of these issues in the future. Credit cards should have intermediate numbers used for purchases with cards to prevent the constant reissuing of cards.
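The comment above says card data is rarely stored and is instead grabbed from the point-of-sale machine during the swipe. What that malware looks for is the magstripe track data sitting in the POS process memory between the swipe and encryption, and the same pattern is what a responder scans a memory dump for afterwards. The following is an added example, not the commenter’s or the article’s code: it carves Track 1 and Track 2 records out of a raw buffer, rejects regex hits whose PAN fails the Luhn check, and masks what it reports. SAMPLE_MEMORY is constructed, and 4111111111111111 is a widely published test number, not a real account.

```python
import re

# Magstripe track layouts (ISO/IEC 7813). Track 1 starts with %B and separates
# fields with ^; Track 2 starts with ; and uses =. Both end with ?.
#   Track 1: %B<PAN>^<NAME>^<YYMM><service code><discretionary data>?
#   Track 2: ;<PAN>=<YYMM><service code><discretionary data>?
TRACK1_RE = re.compile(rb"%B(\d{13,19})\^([A-Z0-9 /.'-]{2,26})\^(\d{4})(\d{3})(\d*)\?")
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{4})(\d{3})(\d*)\?")


def luhn_ok(pan: str) -> bool:
    """Mod-10 check every PAN must pass; weeds out random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep only the BIN and last four, the most a forensic report should carry."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_track_data(buf: bytes):
    """Return Luhn-valid track records found in a raw memory buffer."""
    hits = []
    for track, rx in ((1, TRACK1_RE), (2, TRACK2_RE)):
        for m in rx.finditer(buf):
            pan = m.group(1).decode()
            if not luhn_ok(pan):
                continue        # regex hit on junk, not a real PAN
            expiry = (m.group(3) if track == 1 else m.group(2)).decode()
            hits.append({"track": track, "pan": mask_pan(pan),
                         "expiry": expiry, "offset": m.start()})
    return hits


# Constructed memory image. 4111111111111111 is a standard test PAN, not a real
# account; the ;1234567890123456=... record is shaped like Track 2 but fails Luhn.
SAMPLE_MEMORY = (
    b"\x00\x00POS_APP v2.1\x00\x00"
    b"%B4111111111111111^DOE/JANE^25121011234567890?"
    b"\x00\x00some other heap data 98765\x00"
    b";4111111111111111=25121011234567890?"
    b"\x00;1234567890123456=2512101?\x00"
)

if __name__ == "__main__":
    for h in find_track_data(SAMPLE_MEMORY):
        print(h)
```

Run against SAMPLE_MEMORY it reports two records (one per track) for the test PAN and silently drops the Luhn-invalid one. The practical lesson for defenders is that if a process memory dump from a terminal yields hits like these, cleartext track data existed in that process at the moment of capture, which is exactly the window the RAM-scraping malware exploits; point-to-point encryption at the reader is what closes it.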

You would be amazed how many crooks target charities. When I retired in ’03 I began to volunteer to run a residential fire response team for the American Red Cross and to volunteer with Southern Baptist Disaster Relief as a Chaplain and Amateur Radio Operator for disaster response. Folks try to scam us all the time in various ways.

When you respond to a house fire, for example, and meet the residents in their front yard while the fire department is still putting water on the fire, give them a few nights hotel stay and some money for food and groceries, it doesn’t naturally spring to mind that this was an empty house and the people crying and asking for help didn’t live there… but it has to, because it happens all the time.

We can’t help adults without some form of identity showing their name and the address involved because when some folks have a fire they call neighbors and family to come say they live there in order to receive more assistance.

People are, um, interesting. We have to live in a world without trust because of that.

I shop at the Will all the time. When I first heard news about the data breach, I asked a cashier and she said MN stores weren’t affected, but then I read this. Then this weekend at another Twin Cities Goodwill I noticed that when I asked an unrelated question of the cashier she called the manager over, stepped behind the cash register for a moment with my card in hand, and then I saw her fiddling on her phone. She could have taken a photo of my card in that moment, so I am a little worried given the lack of news and response via Goodwill on this data breach. Yesterday I checked the cc account online at home and it was okay. I am thinking, however, of changing the card number after that little episode.